This video tutorial is a walkthrough of how you can analyze the PCAP file
(created by Brad Duncan).
The capture file contains a malicious Word Document (macro downloader), Emotet (banking trojan),
TrickBot/Trickster (banking trojan) and an EternalChampion (CVE-2017-0146)
exploit used to perform lateral movement.


Network Diagram

Timeline of Events

Frame   Time (UTC)   Event
825     18:55:32     Malicious Word doc
1099    18:56:04     Emotet download
5024    19:00:41     Trickbot "radiance.png" download
9604    19:01:34     Client credentials exfiltrated
9915    19:01:36     ETERNALCHAMPION exploit from client to DC
10424   19:01:51     Client sends .EXE files to \\\C$\WINDOWS\
11078   19:01:51     Client infects DC with Trickbot via rogue service
14314   19:07:03     DC credentials exfiltrated
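The two events at 19:01:51 (an .EXE copied into the DC's C$ admin share, followed by a rogue service on the DC) are the detectable signature of this lateral-movement step. The script below is an added example, not code from the post or from NETRESEC: it correlates constructed SMB write and service-creation records (a made-up pipe-separated log format, placeholder IP addresses, a placeholder file name "payload.exe") and flags a source host that writes an executable into a remote admin share and then creates a service on the same host within a short window. Benign cases in the sample (an admin-share copy with no service creation, and a service creation with no executable write) are left unflagged.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed log lines for the example; the format (ts|src|dst|action|detail),
# the IP addresses and the executable name are assumptions, not from the PCAP.
SAMPLE_LOG = r"""2019-01-01 19:01:34|10.0.0.20|198.51.100.9|http_post|/credentials
2019-01-01 19:01:51|10.0.0.20|10.0.0.5|smb_write|\\DC\C$\WINDOWS\payload.exe
2019-01-01 19:01:51|10.0.0.20|10.0.0.5|svcctl_create|payload
2019-01-01 19:02:30|10.0.0.33|10.0.0.7|smb_write|\\FS1\Public\report.docx
2019-01-01 19:03:00|10.0.0.33|10.0.0.7|svcctl_create|legit_agent
2019-01-01 19:04:00|10.0.0.40|10.0.0.5|smb_write|\\DC\ADMIN$\tools\psinfo.exe
""".strip().splitlines()

# UNC path into an administrative share (C$ or ADMIN$) ending in .exe
ADMIN_SHARE_EXE = re.compile(r"^\\\\[^\\]+\\(?:c\$|admin\$)\\.*\.exe$", re.IGNORECASE)


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    action: str   # e.g. "smb_write", "svcctl_create", "http_post"
    detail: str   # path written, service name, or URL


def parse_events(lines):
    """Parse the constructed pipe-separated records into Event objects."""
    events = []
    for line in lines:
        ts, src, dst, action, detail = line.split("|", 4)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                            src, dst, action, detail))
    return events


def find_lateral_movement(events, window=timedelta(minutes=5)):
    """Return (src, dst, exe_path, service_time) for every executable written
    into a remote admin share that is followed, within `window`, by a service
    creation from the same source against the same destination."""
    hits = []
    writes = [e for e in events
              if e.action == "smb_write" and ADMIN_SHARE_EXE.match(e.detail)]
    for w in writes:
        for e in events:
            if (e.action == "svcctl_create"
                    and e.src == w.src and e.dst == w.dst
                    and timedelta(0) <= e.ts - w.ts <= window):
                hits.append((w.src, w.dst, w.detail, e.ts))
                break  # one alert per executable write is enough
    return hits


if __name__ == "__main__":
    for src, dst, path, svc_ts in find_lateral_movement(parse_events(SAMPLE_LOG)):
        print(f"ALERT {src} -> {dst}: wrote {path}, service created at {svc_ts:%H:%M:%S}")
```

Run against the sample, only the 10.0.0.20 -> 10.0.0.5 pair is reported; the 10.0.0.40 admin-share copy has no matching service creation and the 10.0.0.33 service creation has no preceding executable write. In a real deployment the same correlation would be fed from SMB and DCE/RPC logs instead of the embedded lines.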

OSINT Links Opened

Tools Used

Network Forensics Training

Wanna improve your network forensics skills? Take a look at our network forensics training;
the next scheduled class is on March 18-19 at the TROOPERS conference in Germany.


*** This is a Security Bloggers Network syndicated blog from NETRESEC Network Security Blog authored by Erik Hjelmvik. Read the original post at: